I am working in the operations department at a large, mostly Windows-based, IT solutions company. Personally I am a Mac user, but I mostly use my Mac in "Mac environments".

We have got an inquiry about getting some Macs into the network domain. The main reason for this is authentication (the Mac users are already members of the domain and would like to log in with these credentials), and to mount some network drives.

I have not done this before, and would like to know your ideas of the best way to implement these Macs into the domain. We are looking for a free, or at least inexpensive, solution for this. I have looked into some of the solutions out there but would appreciate some feedback from someone who has worked with this in a production environment.

4 Answers

As already mentioned here, joining a Mac to a Windows domain is relatively easy. Moreover, as of 10.5 it can be done entirely from the command line, including where to put the computer if you prefer to put it in a non-default location. In fact, I developed just such a script for our engineers to use as a basis for migrating systems over. I found this document to be an incredible supplement to Apple's own documentation: Leveraging Active Directory on Mac OS X

However, I have not converted the Macs in my environment because of the problem with user authorization. I find this to be a big problem, but I also work in Security :) There are AD extensions for the OSX attributes so you can get some of the same levels of configuration that you do with Windows in AD. However, your AD environment must be extended to support them.

If you don't mind having unmanaged machines where anybody with credentials can login, then add them. Having centralized authentication is almost always preferred. Unfortunately, for my systems, this limitation was a show stopper.

There is documentation on setting up an OSX Server as a middle-man between your Macs and the AD servers. You run OpenDirectory in what they call ‘subordinate’ mode. Supposedly, you can then completely manage the Macs as you would ordinarily, except the authentication is passed along to the AD box. The idea being that you will perform your user authorization at the OD server, and join your Macs to it (while also putting them in the AD kerberos domain). It sounds promising, but as I said, I did not have success getting the authorization to work correctly. The instructions are also in the pdf linked above.

Took a look at the link to the PDF, seems like that can be of great help. Thanks! As I understand it, what you mention means that every user in the directory can login by default? This shouldn't be too much of a problem I think, but of course worth taking into consideration. AD extensions might be something we can do, unless it messes too much with the system. The environment consists of around 50k users/10k machines and only 30-50 of those would be Macs. Thanks for your feedback! ;-)
– Espen, May 31 '09 at 19:22

The authorization issue is definitely up to your environment. Ours is roughly the same size (if you count active users). But for the <10 Macs that I deal with I need to be able to guarantee the audience. There is a Mac native fix that I didn't mention originally, I've since added it.
– Scott Pack, May 31 '09 at 21:06
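An added example, not Scott Pack's script and not code from the PDF he links: a POSIX shell join script of the kind his answer describes, with the login-window restriction that addresses the "anybody with credentials can login" problem. The domain, OU, group and account names are constructed placeholders; the dsconfigad flags are the long-form spelling of 10.7 and later (10.5 used -a/-u/-p for the same options).

```shell
#!/bin/sh
# Added example (not the original answer's code): an AD join script of the kind
# Scott Pack describes, plus the login restriction that answers his "anybody
# with credentials can login" point. Domain, OU, group and account names are
# constructed placeholders. The long-form dsconfigad flags (-add, -computer,
# -username) are the 10.7+ spelling; 10.5 used -a/-u/-p for the same options.

AD_DOMAIN='example.corp'
AD_OU='OU=Macs,OU=Workstations,DC=example,DC=corp'   # the non-default location
AD_ADMIN_GROUP='EXAMPLE\mac-admins'   # AD group that gets local admin rights
AD_LOGIN_GROUP='mac-users'            # the only AD group allowed to log in
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands; 0 = run them as root on the Mac

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else sh -c "$1"; fi
}

# Bind the machine into the chosen OU. -password is omitted on purpose so that
# dsconfigad prompts for it instead of exposing it in the process list.
# -mobile enable caches credentials for use off the corporate network;
# -alldomains disable limits lookups to the joined domain.
join_cmd() {   # $1 = computer name, $2 = AD account allowed to join machines
    printf 'dsconfigad -add %s -computer %s -username %s -ou "%s" -mobile enable -alldomains disable -groups "%s" -force' \
        "$AD_DOMAIN" "$1" "$2" "$AD_OU" "$AD_ADMIN_GROUP"
}

# Without this every domain account can log in at the login window. The local
# group com.apple.access_loginwindow is a service access control list: once it
# exists only its members may log in, so add the local admin too or you are
# locked out.
restrict_login_cmds() {   # $1 = local admin account to keep
    printf 'dseditgroup -o create -n /Local/Default com.apple.access_loginwindow\n'
    printf 'dseditgroup -o edit -n /Local/Default -a %s -t user com.apple.access_loginwindow\n' "$1"
    printf 'dseditgroup -o edit -n /Local/Default -a %s -t group com.apple.access_loginwindow\n' "$AD_LOGIN_GROUP"
}

# Usage: join_and_restrict <computer-name> <AD join account> <local admin>
join_and_restrict() {
    run "$(join_cmd "$1" "$2")"
    restrict_login_cmds "$3" | while IFS= read -r cmd; do run "$cmd"; done
    run 'dsconfigad -show'   # confirm the bind before handing the Mac over
}

join_and_restrict mac-001 svc-macjoin localadmin
```

With DRY_RUN left at 1 the script only prints what it would run, which is the form to review before letting engineers execute it as root on a real Mac.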

The capability to add them to the domain is free - it's built into OS X and can be automated during deployment using DeployStudio.

Actually managing them with Group Policy-like functionality is a different story - there are some third-party products available like AdmitMAC and Radmind which can help with this.

We have been adding our Mac devices to our domain for a few years now and haven't really encountered any issues with doing this. It simplifies life for the users and keeps authentication consistent. Their network home directories are automatically mapped to a desktop shortcut on login, which is another nice feature.

DeployStudio looks interesting. I will definitely have a look into that when I get back to work over the weekend. :-) Radmind is also new for me; I will have a look into that. AdmitMAC looks great indeed, but it is a bit on the expensive side. The main point is actually to make use of the authentication possibilities and to easily map up network locations. Thanks for your feedback, appreciated. ;-)
– Espen, May 31 '09 at 19:14

When you say "and to mount some network drives," be aware that Macs cannot access DFS shares without third-party software. AdmitMac claims it works, and it may at this point; when I dealt with it about a year ago DFS access was an unmitigated disaster.